Subj : Zyxel says it won't patch security flaws in its old routers
To : All
From : TechnologyDaily
Date : Thu Feb 06 2025 15:15:07

Zyxel says it won't patch security flaws in its old routers
Date: Thu, 06 Feb 2025 15:10:00 +0000
Description: The devices reached their end-of-life and are no longer supported despite being popular in the market, Zyxel warns.

FULL STORY
======================================================================

- Security researchers warn of two Zyxel flaws being abused in the wild
- The manufacturer confirmed the findings but said the devices are no longer supported
- Users are advised to migrate to newer models

Zyxel has acknowledged a number of security issues with some of its most popular routers, but says it won't be issuing any patches because the devices have reached their end-of-life.

Security researchers first discovered two vulnerabilities in a number of Zyxel's internet-connected devices in summer 2024, and warned earlier this month that the flaws are being exploited in the wild.

In a newly released security advisory, the Taiwanese networking gear manufacturer acknowledged the flaws and the fact that they're being abused in the wild, but stressed that the vulnerable devices are past their end-of-life date and thus no longer supported. Instead, users should migrate to newer, still-supported devices.

Wide attack surface

The two vulnerabilities are tracked as CVE-2024-40891 (improper command validation) and CVE-2025-0890 (weak default credentials).

"Zyxel recently became aware of CVE-2024-40890 and CVE-2024-40891 being mentioned in a post on GreyNoise's blog. Additionally, VulnCheck informed us that they will publish the technical details regarding CVE-2024-40891 and CVE-2025-0890 on their blog. We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years. Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection," Zyxel said in the advisory.

In its write-up, BleepingComputer says that both FOFA and Censys show more than 1,500 Zyxel CPE Series devices exposed to the internet, suggesting that the attack surface is significant.

At the same time, VulnCheck shared a proof-of-concept (PoC) against a VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615, showing that the attack is more than theoretical.

"While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers," VulnCheck said. "The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research."

======================================================================
Link to news story: https://www.techradar.com/pro/security/zyxel-says-it-wont-patch-security-flaws-in-its-old-routers

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
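Since no patch is coming, the practical task is finding these devices in your own estate. The following Python script is an added example and is not code from the article, from Zyxel's advisory or from VulnCheck's research. It takes scan or inventory records (the sample records below are constructed, using RFC 5737 test addresses; the second firmware string is made up), normalizes the model name, matches it against the EOL model list quoted from the advisory, and parses the firmware string into version, build code, release and build date. The firmware regex is an assumption generalized from the single version string the article quotes, 1.00(AAFR.4)C0_20170615, so treat non-matching strings as "unrecognized", not "safe".

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Models Zyxel's advisory (quoted above) names as EOL and affected by
# CVE-2024-40891 / CVE-2025-0890.
EOL_MODELS = frozenset({
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E", "VMG3312-B10A",
    "VMG3313-B10A", "VMG3926-B10B", "VMG4325-B10A", "VMG4380-B10A",
    "VMG8324-B10A", "VMG8924-B10A", "SBG3300", "SBG3500",
})

# Assumed shape of Zyxel firmware strings, generalized from the one example
# on the page, "1.00(AAFR.4)C0_20170615": version, build code, release, date.
FW_RE = re.compile(
    r"^V?(?P<version>\d+\.\d+)"
    r"\((?P<build>[A-Z]+\.\d+)\)"
    r"(?P<release>[A-Z]\d+)"
    r"_(?P<date>\d{8})$"
)


@dataclass(frozen=True)
class Firmware:
    version: str
    build: str
    release: str
    build_date: date


@dataclass(frozen=True)
class Finding:
    host: str
    model: str
    firmware: Optional[Firmware]
    affected: bool
    note: str


def parse_firmware(text: str) -> Optional[Firmware]:
    """Parse a Zyxel-style firmware string; None if it does not match the assumed pattern."""
    m = FW_RE.match(text.strip())
    if not m:
        return None
    d = m.group("date")
    try:
        built = date(int(d[:4]), int(d[4:6]), int(d[6:]))
    except ValueError:  # eight digits but not a real calendar date
        return None
    return Firmware(m.group("version"), m.group("build"), m.group("release"), built)


def normalize_model(text: str) -> str:
    """Collapse case, whitespace and underscores so 'vmg1312 b10b' matches the advisory's form."""
    t = re.sub(r"[\s_]+", "-", text.strip().upper())
    return re.sub(r"-+", "-", t)


def triage(records: List[Dict[str, str]]) -> List[Finding]:
    """Flag every record whose model is on the advisory's EOL list."""
    findings = []
    for r in records:
        model = normalize_model(r["model"])
        fw = parse_firmware(r.get("firmware", ""))
        if model in EOL_MODELS:
            note = "EOL model named in Zyxel advisory; no patch will be issued, replace the device"
            if fw is None:
                note += " (firmware string not recognized)"
            findings.append(Finding(r["host"], model, fw, True, note))
        else:
            findings.append(Finding(r["host"], model, fw, False,
                                    "not on the advisory list; confirm support status with the vendor"))
    return findings


def affected_hosts(findings: List[Finding]) -> List[str]:
    return sorted(f.host for f in findings if f.affected)


# Constructed sample scan export (not real hosts; second firmware string is hypothetical).
SAMPLE_RECORDS = [
    {"host": "192.0.2.10", "model": "VMG4325-B10A", "firmware": "1.00(AAFR.4)C0_20170615"},
    {"host": "192.0.2.11", "model": "vmg1312 b10b", "firmware": "V1.00(AAFR.5)C0_20171215"},
    {"host": "192.0.2.12", "model": "SBG3500", "firmware": "unknown"},
    {"host": "192.0.2.13", "model": "EXAMPLE-CPE", "firmware": "2.00(ABCD.1)C0_20230101"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        built = f.firmware.build_date.isoformat() if f.firmware else "n/a"
        print(f"{f.host:12} {f.model:14} built={built:10} affected={f.affected} {f.note}")
```

Feed it the model and firmware fields from whatever produced the exposure count (Censys, FOFA, an internal scanner); anything that comes back affected should go on the replacement list regardless of what the firmware string says, because the vendor has stated no fix will ship for these models.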